| OLD | NEW |
|---|
| 1 // Copyright 2015 The Chromium Authors. All rights reserved. | 1 // Copyright 2015 The Chromium Authors. All rights reserved. |
| 2 // Use of this source code is governed by a BSD-style license that can be | 2 // Use of this source code is governed by a BSD-style license that can be |
| 3 // found in the LICENSE file. | 3 // found in the LICENSE file. |
| 4 | 4 |
| 5 #include "net/cert/internal/verify_certificate_chain.h" | 5 #include "net/cert/internal/verify_certificate_chain.h" |
| 6 | 6 |
| 7 #include "base/base_paths.h" | |
| 8 #include "base/files/file_util.h" | |
| 9 #include "base/path_service.h" | |
| 10 #include "base/strings/string_split.h" | |
| 11 #include "base/strings/string_util.h" | |
| 12 #include "base/strings/stringprintf.h" | |
| 13 #include "net/cert/internal/parsed_certificate.h" | |
| 14 #include "net/cert/internal/signature_policy.h" | 7 #include "net/cert/internal/signature_policy.h" |
| 15 #include "net/cert/internal/test_helpers.h" | |
| 16 #include "net/cert/internal/trust_store.h" | 8 #include "net/cert/internal/trust_store.h" |
| 17 #include "net/cert/pem_tokenizer.h" | 9 #include "net/cert/internal/verify_certificate_chain_typed_unittest.h" |
| 18 #include "net/der/input.h" | |
| 19 #include "testing/gtest/include/gtest/gtest.h" | |
| 20 | 10 |
| 21 namespace net { | 11 namespace net { |
| 22 | 12 |
| 23 namespace { | 13 namespace { |
| 24 | 14 |
| 25 // Reads a data file from the unit-test data. | 15 class VerifyCertificateChainAssumingTrustedRootDelegate { |
| 26 std::string ReadTestFileToString(const std::string& file_name) { | 16 public: |
| 27 // Compute the full path, relative to the src/ directory. | 17 static void Verify(const std::vector<scoped_refptr<ParsedCertificate>>& chain, |
| 28 base::FilePath src_root; | 18 const std::vector<scoped_refptr<ParsedCertificate>>& roots, |
| 29 PathService::Get(base::DIR_SOURCE_ROOT, &src_root); | 19 const der::GeneralizedTime& time, |
| 30 base::FilePath filepath = src_root.AppendASCII( | 20 bool expected_result) { |
| 31 std::string("net/data/verify_certificate_chain_unittest/") + file_name); | 21 TrustStore trust_store; |
| 22 ASSERT_EQ(1U, roots.size()); |
| 23 trust_store.AddTrustedCertificate(roots[0]); |
| 32 | 24 |
| 33 // Read the full contents of the file. | 25 std::vector<scoped_refptr<ParsedCertificate>> full_chain(chain); |
| 34 std::string file_data; | 26 full_chain.push_back(roots[0]); |
| 35 if (!base::ReadFileToString(filepath, &file_data)) { | 27 |
| 36 ADD_FAILURE() << "Couldn't read file: " << filepath.value(); | 28 SimpleSignaturePolicy signature_policy(1024); |
| 37 return std::string(); | 29 |
| 30 bool result = VerifyCertificateChainAssumingTrustedRoot( |
| 31 full_chain, trust_store, &signature_policy, time); |
| 32 |
| 33 ASSERT_EQ(expected_result, result); |
| 38 } | 34 } |
| 39 | 35 }; |
| 40 return file_data; | |
| 41 } | |
| 42 | |
| 43 // Reads a test case from |file_name|. Test cases are comprised of a | |
| 44 // certificate chain, trust store, a timestamp to validate at, and the | |
| 45 // expected result of verification. | |
| 46 void ReadTestFromFile(const std::string& file_name, | |
| 47 std::vector<std::string>* chain, | |
| 48 TrustStore* trust_store, | |
| 49 der::GeneralizedTime* time, | |
| 50 bool* verify_result) { | |
| 51 chain->clear(); | |
| 52 trust_store->Clear(); | |
| 53 | |
| 54 std::string file_data = ReadTestFileToString(file_name); | |
| 55 | |
| 56 std::vector<std::string> pem_headers; | |
| 57 | |
| 58 const char kCertificateHeader[] = "CERTIFICATE"; | |
| 59 const char kTrustedCertificateHeader[] = "TRUSTED_CERTIFICATE"; | |
| 60 const char kTimeHeader[] = "TIME"; | |
| 61 const char kResultHeader[] = "VERIFY_RESULT"; | |
| 62 | |
| 63 pem_headers.push_back(kCertificateHeader); | |
| 64 pem_headers.push_back(kTrustedCertificateHeader); | |
| 65 pem_headers.push_back(kTimeHeader); | |
| 66 pem_headers.push_back(kResultHeader); | |
| 67 | |
| 68 bool has_time = false; | |
| 69 bool has_result = false; | |
| 70 | |
| 71 PEMTokenizer pem_tokenizer(file_data, pem_headers); | |
| 72 while (pem_tokenizer.GetNext()) { | |
| 73 const std::string& block_type = pem_tokenizer.block_type(); | |
| 74 const std::string& block_data = pem_tokenizer.data(); | |
| 75 | |
| 76 if (block_type == kCertificateHeader) { | |
| 77 chain->push_back(block_data); | |
| 78 } else if (block_type == kTrustedCertificateHeader) { | |
| 79 scoped_refptr<ParsedCertificate> cert( | |
| 80 ParsedCertificate::CreateFromCertificateCopy(block_data)); | |
| 81 ASSERT_TRUE(cert); | |
| 82 trust_store->AddTrustedCertificate(std::move(cert)); | |
| 83 } else if (block_type == kTimeHeader) { | |
| 84 ASSERT_FALSE(has_time) << "Duplicate " << kTimeHeader; | |
| 85 has_time = true; | |
| 86 ASSERT_TRUE(der::ParseUTCTime(der::Input(&block_data), time)); | |
| 87 } else if (block_type == kResultHeader) { | |
| 88 ASSERT_FALSE(has_result) << "Duplicate " << kResultHeader; | |
| 89 ASSERT_TRUE(block_data == "SUCCESS" || block_data == "FAIL") | |
| 90 << "Unrecognized result: " << block_data; | |
| 91 has_result = true; | |
| 92 *verify_result = block_data == "SUCCESS"; | |
| 93 } | |
| 94 } | |
| 95 | |
| 96 ASSERT_TRUE(has_time); | |
| 97 ASSERT_TRUE(has_result); | |
| 98 } | |
| 99 | |
| 100 void RunTest(const char* file_name) { | |
| 101 std::vector<std::string> chain; | |
| 102 TrustStore trust_store; | |
| 103 der::GeneralizedTime time; | |
| 104 bool expected_result; | |
| 105 | |
| 106 ReadTestFromFile(file_name, &chain, &trust_store, &time, &expected_result); | |
| 107 | |
| 108 std::vector<scoped_refptr<net::ParsedCertificate>> input_chain; | |
| 109 for (const auto& cert_der : chain) { | |
| 110 ASSERT_TRUE(net::ParsedCertificate::CreateAndAddToVector( | |
| 111 reinterpret_cast<const uint8_t*>(cert_der.data()), cert_der.size(), | |
| 112 net::ParsedCertificate::DataSource::EXTERNAL_REFERENCE, &input_chain)); | |
| 113 } | |
| 114 | |
| 115 SimpleSignaturePolicy signature_policy(1024); | |
| 116 | |
| 117 bool result = | |
| 118 VerifyCertificateChain(input_chain, trust_store, &signature_policy, time); | |
| 119 | |
| 120 ASSERT_EQ(expected_result, result); | |
| 121 } | |
| 122 | |
| 123 TEST(VerifyCertificateChainTest, TargetAndIntermediary) { | |
| 124 RunTest("target-and-intermediary.pem"); | |
| 125 } | |
| 126 | |
| 127 TEST(VerifyCertificateChainTest, UnknownRoot) { | |
| 128 RunTest("unknown-root.pem"); | |
| 129 } | |
| 130 | |
| 131 TEST(VerifyCertificateChainTest, IntermediaryLacksBasicConstraints) { | |
| 132 RunTest("intermediary-lacks-basic-constraints.pem"); | |
| 133 } | |
| 134 | |
| 135 TEST(VerifyCertificateChainTest, IntermediaryBasicConstraintsCaFalse) { | |
| 136 RunTest("intermediary-basic-constraints-ca-false.pem"); | |
| 137 } | |
| 138 | |
| 139 TEST(VerifyCertificateChainTest, IntermediaryBasicConstraintsNotCritical) { | |
| 140 RunTest("intermediary-basic-constraints-not-critical.pem"); | |
| 141 } | |
| 142 | |
| 143 TEST(VerifyCertificateChainTest, IntermediaryLacksSigningKeyUsage) { | |
| 144 RunTest("intermediary-lacks-signing-key-usage.pem"); | |
| 145 } | |
| 146 | |
| 147 TEST(VerifyCertificateChainTest, IntermediaryUnknownCriticalExtension) { | |
| 148 RunTest("intermediary-unknown-critical-extension.pem"); | |
| 149 } | |
| 150 | |
| 151 TEST(VerifyCertificateChainTest, IntermediaryUnknownNonCriticalExtension) { | |
| 152 RunTest("intermediary-unknown-non-critical-extension.pem"); | |
| 153 } | |
| 154 | |
| 155 TEST(VerifyCertificateChainTest, ViolatesBasicConstraintsPathlen0) { | |
| 156 RunTest("violates-basic-constraints-pathlen-0.pem"); | |
| 157 } | |
| 158 | |
| 159 TEST(VerifyCertificateChainTest, BasicConstraintsPathlen0SelfIssued) { | |
| 160 RunTest("basic-constraints-pathlen-0-self-issued.pem"); | |
| 161 } | |
| 162 | |
| 163 TEST(VerifyCertificateChainTest, TargetSignedWithMd5) { | |
| 164 RunTest("target-signed-with-md5.pem"); | |
| 165 } | |
| 166 | |
| 167 TEST(VerifyCertificateChainTest, IntermediarySignedWithMd5) { | |
| 168 RunTest("intermediary-signed-with-md5.pem"); | |
| 169 } | |
| 170 | |
| 171 TEST(VerifyCertificateChainTest, TargetWrongSignature) { | |
| 172 RunTest("target-wrong-signature.pem"); | |
| 173 } | |
| 174 | |
| 175 TEST(VerifyCertificateChainTest, TargetSignedBy512bitRsa) { | |
| 176 RunTest("target-signed-by-512bit-rsa.pem"); | |
| 177 } | |
| 178 | |
| 179 TEST(VerifyCertificateChainTest, TargetSignedUsingEcdsa) { | |
| 180 RunTest("target-signed-using-ecdsa.pem"); | |
| 181 } | |
| 182 | |
| 183 TEST(VerifyCertificateChainTest, ExpiredIntermediary) { | |
| 184 RunTest("expired-intermediary.pem"); | |
| 185 } | |
| 186 | |
| 187 TEST(VerifyCertificateChainTest, ExpiredTarget) { | |
| 188 RunTest("expired-target.pem"); | |
| 189 } | |
| 190 | |
| 191 TEST(VerifyCertificateChainTest, ExpiredTargetNotBefore) { | |
| 192 RunTest("expired-target-notBefore.pem"); | |
| 193 } | |
| 194 | |
| 195 TEST(VerifyCertificateChainTest, ExpiredRoot) { | |
| 196 RunTest("expired-root.pem"); | |
| 197 } | |
| 198 | |
| 199 TEST(VerifyCertificateChainTest, TargetNotEndEntity) { | |
| 200 RunTest("target-not-end-entity.pem"); | |
| 201 } | |
| 202 | |
| 203 TEST(VerifyCertificateChainTest, TargetHasKeyCertSignButNotCa) { | |
| 204 RunTest("target-has-keycertsign-but-not-ca.pem"); | |
| 205 } | |
| 206 | |
| 207 TEST(VerifyCertificateChainTest, TargetHasPathlenButNotCa) { | |
| 208 RunTest("target-has-pathlen-but-not-ca.pem"); | |
| 209 } | |
| 210 | |
| 211 TEST(VerifyCertificateChainTest, TargetUnknownCriticalExtension) { | |
| 212 RunTest("target-unknown-critical-extension.pem"); | |
| 213 } | |
| 214 | |
| 215 TEST(VerifyCertificateChainTest, IssuerAndSubjectNotByteForByteEqual) { | |
| 216 RunTest("issuer-and-subject-not-byte-for-byte-equal.pem"); | |
| 217 } | |
| 218 | |
| 219 TEST(VerifyCertificateChainTest, IssuerAndSubjectNotByteForByteEqualAnchor) { | |
| 220 RunTest("issuer-and-subject-not-byte-for-byte-equal-anchor.pem"); | |
| 221 } | |
| 222 | |
| 223 TEST(VerifyCertificateChainTest, ViolatesPathlen1Root) { | |
| 224 RunTest("violates-pathlen-1-root.pem"); | |
| 225 } | |
| 226 | |
| 227 TEST(VerifyCertificateChainTest, NonSelfSignedRoot) { | |
| 228 RunTest("non-self-signed-root.pem"); | |
| 229 } | |
| 230 | |
| 231 // Tests that verifying a chain with no certificates fails. | |
| 232 TEST(VerifyCertificateChainTest, EmptyChainIsInvalid) { | |
| 233 TrustStore trust_store; | |
| 234 der::GeneralizedTime time; | |
| 235 std::vector<scoped_refptr<ParsedCertificate>> chain; | |
| 236 SimpleSignaturePolicy signature_policy(2048); | |
| 237 | |
| 238 ASSERT_FALSE( | |
| 239 VerifyCertificateChain(chain, trust_store, &signature_policy, time)); | |
| 240 } | |
| 241 | |
| 242 // TODO(eroman): Add test that invalidate validity dates where the day or month | |
| 243 // ordinal not in range, like "March 39, 2016" are rejected. | |
| 244 | 36 |
| 245 } // namespace | 37 } // namespace |
| 246 | 38 |
| 39 INSTANTIATE_TYPED_TEST_CASE_P( |
| 40 VerifyCertificateChainAssumingTrustedRoot, |
| 41 VerifyCertificateChainSingleRootTest, |
| 42 VerifyCertificateChainAssumingTrustedRootDelegate); |
| 43 |
| 247 } // namespace net | 44 } // namespace net |
| OLD | NEW |
|---|
Chromium Code Reviews
Issue 1923433002:
Certificate path builder for new certificate verification library (Closed)
Base URL: https://chromium.googlesource.com/chromium/src.git@master